University of Michigan community members who use Duo two-factor authentication push notifications will be required to enter a three-digit code when logging into U‑M Weblogin, starting at noon Sept. 25.
This change aims to enhance the university’s defenses against phishing and identity theft, making it significantly harder for malicious actors to impersonate legitimate users. While the new process introduces an additional step in the login routine, it does not increase the frequency of authentication prompts people will receive.
MORE INFORMATION
“I am grateful to all of you for using the Duo verified push. This additional step adds an important layer of security to our authentication process,” said Ravi Pendse, vice president for information technology and chief information officer. “It will protect our data, our community, and each one of us.”
This change only affects users who receive Duo push notifications on their mobile device.
Currently, when a user logs in using U-M Weblogin, they receive a Duo prompt on their computer screen instructing them to approve or deny the push notification on their mobile device by clicking a green “Approve” or red “Deny” button. Under the new process, the Duo prompt on their computer screen will display a three-digit code. Users will enter this code in the push notification on their mobile device and click “Verify,” or click “I’m not logging in” if they did not initiate the login.
Michigan Medicine transitioned to this change Aug. 9.
Users should ensure their Duo Mobile app is updated to the latest version. The most recent version of Duo Mobile is available from Google Play Store and the Apple App Store for devices running Android 11.0 or later and iOS 15.0 or later.
They should only accept Duo pushes that they initiated and report any unauthorized prompts via the Duo Mobile app by selecting “I’m not logging in” and “This is suspicious.” People receiving Duo prompts they did not initiate should change their password immediately.
“Our goal is to make the university’s authentication process as secure as possible without compromising convenience,” said Asmat Noori, interim executive director of information assurance and chief information security officer. “We all play a role in keeping our systems secure, and this update is an important step forward.”
The introduction of the three-digit code requirement for Duo verified push notifications is part of U-M’s broader initiative to continually improve cybersecurity. By implementing these changes, the institution underscores its commitment to ensuring a safer digital environment for everyone.
Stephen Stefanac
I use my Apple Watch for 100% of UM verifications. Will I only be able to use my phone in the future?
Christopher Connelly
So far you can use your Apple Watch, but you have to go through the ungainly process of either handwriting the digits in, or I guess you could try to voice type them in, but I haven’t tried that yet. It does undercut the convenience of it.
Christopher Connelly
Maybe they could fix the feature that when you hit reply it lets you reply rather than bouncing you up to the top of the page and just letting you leave a comment in the comment section rather than reply to a specific comment.
DePriest Dockins
Thank you for your question and suggestions about using an Apple Watch. Individuals will be able to use a smartwatch to verify, but experiences can vary by device and OS version. More information related to using a smartwatch is available at https://safecomputing.umich.edu/two-factor-authentication/upcoming-changes-to-duo#AppleWatch